package auth

import (
	"context"
	"log"
	"reflect"

	"git.aiterp.net/rpdata/api/models"
)

// CheckPermission does some magic.
func CheckPermission(ctx context.Context, op string, obj interface{}) error {
	token := TokenFromContext(ctx)
	if token == nil {
		return ErrUnauthenticated
	}

	if reflect.TypeOf(obj).Kind() != reflect.Ptr {
		return CheckPermission(ctx, op, &obj)
	}

	var authorized = false

	switch v := obj.(type) {
	case *models.Channel:
		authorized = token.Permitted("channel." + op)
	case *models.Character:
		authorized = token.PermittedUser(v.Author, "member", "character."+op)
	case *models.Chapter:
		authorized = token.PermittedUser(v.Author, "member", "chapter."+op)
	case *models.Comment:
		if op == "add" && v.Author != token.UserID {
			return ErrInvalidOperation
		}

		authorized = token.PermittedUser(v.Author, "member", "comment."+op)
	case *models.File:
		authorized = token.PermittedUser(v.Author, "member", "file."+op)
	case *models.Log:
		authorized = token.Permitted("log." + op)
	case *models.Post:
		authorized = token.Permitted("post." + op)
	case *models.Story:
		authorized = token.PermittedUser(v.Author, "member", "story."+op)
	case *models.User:
		authorized = token.Permitted("user." + op)
	default:
		log.Panicf("Invalid model %T: %#+v", v, v)
	}

	if !authorized {
		return ErrUnauthorized
	}

	return nil
}